Detection rules › Kusto Query Language

Potential re-named sdelete usage (ASIM Version)

Author: Microsoft Security Research
Source: upstream

'This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive. A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host. This detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization'

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1036` Masquerading
Impact	`T1485` Data Destruction

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	5	Process terminated
Security-Auditing	4688	A new process has been created.
Security-Auditing	4689	A process has exited.

Stages and Predicates

Stage 1: `source`

imProcess

Stage 2: `where`

CommandLine match ["accepteula", "-s", "-r", "-q"]

Stage 3: `where`

not
  Process ends_with "sdelete.exe"

Stage 4: `where`

not
  CommandLine match "sdelete"

Stage 5: `extend`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`Process`	ends_with	`sdelete.exe`
1	`CommandLine`	match	`sdelete`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`-q` corpus 2 (sigma 2) `-r` corpus 3 (sigma 3) `-s` corpus 2 (sigma 2) `accepteula` corpus 3 (sigma 3)

Potential re-named sdelete usage (ASIM Version)

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: where